
Example 1 with NMPolicyProvider

use of org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider in project hadoop by apache.

the class ContainerManagerImpl method serviceStart.

/**
 * Starts the container manager: creates the ContainerManagementProtocol RPC
 * server, derives and publishes the node ID, starts the remaining services,
 * and (when recovery is possible) opens the RPC server only after recovered
 * containers have been waited for.
 *
 * <p>Security-relevant behaviour visible here: the RPC server is always
 * configured for token authentication backed by the NM token secret manager,
 * while service-level authorization ACLs are applied only when
 * {@code HADOOP_SECURITY_AUTHORIZATION} is set to true (this method reads it
 * with a default of {@code false}).
 *
 * @throws IllegalArgumentException if the state store can recover and the
 *         configured address uses port 0 (an ephemeral port)
 * @throws IOException if, after a delayed start, the node ID built from the
 *         running server differs from the one published earlier
 * @throws Exception anything propagated from the calls made here, including
 *         {@code super.serviceStart()}
 */
@Override
protected void serviceStart() throws Exception {
    // Resolve the address to bind from NM_BIND_HOST / NM_ADDRESS, falling back
    // to the default NM address and port.
    Configuration conf = getConfig();
    final InetSocketAddress initialAddress = conf.getSocketAddr(YarnConfiguration.NM_BIND_HOST, YarnConfiguration.NM_ADDRESS, YarnConfiguration.DEFAULT_NM_ADDRESS, YarnConfiguration.DEFAULT_NM_PORT);
    // Port 0 is treated as an ephemeral port. When recovery is possible the
    // node ID below is built from the configured address before the server is
    // running and later compared with the running server's address, so the
    // combination is rejected up front.
    boolean usingEphemeralPort = (initialAddress.getPort() == 0);
    if (context.getNMStateStore().canRecover() && usingEphemeralPort) {
        throw new IllegalArgumentException("Cannot support recovery with an " + "ephemeral server port. Check the setting of " + YarnConfiguration.NM_ADDRESS);
    }
    // If recovering then delay opening the RPC service until the recovery
    // of resources and containers have completed, otherwise requests from
    // clients during recovery can interfere with the recovery process.
    final boolean delayedRpcServerStart = context.getNMStateStore().canRecover();
    // Work on a copy so the authentication override below is applied to the
    // server's configuration only and not to the service's own conf object.
    Configuration serverConf = new Configuration(conf);
    // Always force this endpoint to token-based authentication, whatever the
    // copied configuration said; the NM token secret manager passed to
    // getServer() below is what the server is given to validate tokens.
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, SaslRpcServer.AuthMethod.TOKEN.toString());
    // Note: the RPC factory is created from conf, the server from serverConf.
    YarnRPC rpc = YarnRPC.create(conf);
    server = rpc.getServer(ContainerManagementProtocol.class, this, initialAddress, serverConf, this.context.getNMTokenSecretManager(), conf.getInt(YarnConfiguration.NM_CONTAINER_MGR_THREAD_COUNT, YarnConfiguration.DEFAULT_NM_CONTAINER_MGR_THREAD_COUNT));
    // Service authorization is opt-in: the ACLs from NMPolicyProvider are
    // loaded only when HADOOP_SECURITY_AUTHORIZATION is true, and the default
    // used here is false. With the default, this method installs no
    // service-level ACLs; only the token authentication above applies.
    if (conf.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false)) {
        refreshServiceAcls(conf, new NMPolicyProvider());
    }
    LOG.info("Blocking new container-requests as container manager rpc" + " server is still starting.");
    this.setBlockNewContainerRequests(true);
    String bindHost = conf.get(YarnConfiguration.NM_BIND_HOST);
    String nmAddress = conf.getTrimmed(YarnConfiguration.NM_ADDRESS);
    String hostOverride = null;
    if (bindHost != null && !bindHost.isEmpty() && nmAddress != null && !nmAddress.isEmpty()) {
        // Bind-host case with an explicit address: to support overriding the
        // first hostname found when querying for our hostname, combine the
        // host part of the specified address with the actual port listened on
        // by the server.
        // NOTE(review): taking everything before the first ':' assumes a
        // host:port value; an IPv6 literal would be cut at its first colon —
        // confirm such values cannot be configured here.
        hostOverride = nmAddress.split(":")[0];
    }
    // Set up the node ID. With a delayed start the server is not running yet,
    // so the connect address comes from the configured address; otherwise the
    // server is started now and its actual address is used.
    InetSocketAddress connectAddress;
    if (delayedRpcServerStart) {
        connectAddress = NetUtils.getConnectAddress(initialAddress);
    } else {
        server.start();
        connectAddress = NetUtils.getConnectAddress(server);
    }
    NodeId nodeId = buildNodeId(connectAddress, hostOverride);
    // Publish the node ID to the context and to both token secret managers
    // before the remaining services start.
    ((NodeManager.NMContext) context).setNodeId(nodeId);
    this.context.getNMTokenSecretManager().setNodeId(nodeId);
    this.context.getContainerTokenSecretManager().setNodeId(nodeId);
    // start remaining services
    super.serviceStart();
    if (delayedRpcServerStart) {
        // Open the RPC endpoint only after recovered containers have been
        // waited for (see the comment where delayedRpcServerStart is set).
        waitForRecoveredContainers();
        server.start();
        // Check that the node ID is as previously advertised: the ID handed
        // to the secret managers above was derived from configuration, so it
        // must match what the running server actually reports.
        connectAddress = NetUtils.getConnectAddress(server);
        NodeId serverNode = buildNodeId(connectAddress, hostOverride);
        if (!serverNode.equals(nodeId)) {
            throw new IOException("Node mismatch after server started, expected '" + nodeId + "' but found '" + serverNode + "'");
        }
    }
    LOG.info("ContainerManager started at " + connectAddress);
    LOG.info("ContainerManager bound to " + initialAddress);
}
Also used : ContainerManagementProtocol(org.apache.hadoop.yarn.api.ContainerManagementProtocol) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) InetSocketAddress(java.net.InetSocketAddress) NodeId(org.apache.hadoop.yarn.api.records.NodeId) YarnRPC(org.apache.hadoop.yarn.ipc.YarnRPC) ByteString(com.google.protobuf.ByteString) IOException(java.io.IOException) NMPolicyProvider(org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider)

Example 2 with NMPolicyProvider

use of org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider in project hadoop by apache.

the class ResourceLocalizationService method createServer.

/**
 * Builds the RPC server that serves {@code LocalizationProtocol} on
 * {@code localizationServerAddress}.
 *
 * <p>A {@code LocalizerTokenSecretManager} is installed only when
 * {@code UserGroupInformation.isSecurityEnabled()} reports true; otherwise the
 * {@code secretManager} field is passed to the server with whatever value it
 * already holds. Service-level ACLs from {@code NMPolicyProvider} are applied
 * only when {@code HADOOP_SECURITY_AUTHORIZATION} is true (read here with a
 * default of {@code false}).
 *
 * @return the configured server; this method does not start it
 */
Server createServer() {
    final Configuration config = getConfig();
    final YarnRPC yarnRpc = YarnRPC.create(config);
    // Token validation is wired in only for secured clusters.
    if (UserGroupInformation.isSecurityEnabled()) {
        secretManager = new LocalizerTokenSecretManager();
    }
    final int clientThreadCount = config.getInt(YarnConfiguration.NM_LOCALIZER_CLIENT_THREAD_COUNT, YarnConfiguration.DEFAULT_NM_LOCALIZER_CLIENT_THREAD_COUNT);
    final Server localizerServer = yarnRpc.getServer(LocalizationProtocol.class, this, localizationServerAddress, config, secretManager, clientThreadCount);
    // Service authorization is opt-in; without it no ACLs are loaded here.
    final boolean authorizationEnabled = config.getBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);
    if (!authorizationEnabled) {
        return localizerServer;
    }
    localizerServer.refreshServiceAcl(config, new NMPolicyProvider());
    return localizerServer;
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) Server(org.apache.hadoop.ipc.Server) YarnRPC(org.apache.hadoop.yarn.ipc.YarnRPC) LocalizerTokenSecretManager(org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenSecretManager) NMPolicyProvider(org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider)

Aggregations

Configuration (org.apache.hadoop.conf.Configuration)2 YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)2 YarnRPC (org.apache.hadoop.yarn.ipc.YarnRPC)2 NMPolicyProvider (org.apache.hadoop.yarn.server.nodemanager.security.authorize.NMPolicyProvider)2 ByteString (com.google.protobuf.ByteString)1 IOException (java.io.IOException)1 InetSocketAddress (java.net.InetSocketAddress)1 Server (org.apache.hadoop.ipc.Server)1 ContainerManagementProtocol (org.apache.hadoop.yarn.api.ContainerManagementProtocol)1 NodeId (org.apache.hadoop.yarn.api.records.NodeId)1 LocalizerTokenSecretManager (org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.security.LocalizerTokenSecretManager)1